race condition - yajin · a vulnerable set-uid program • access -> check real user id •...
Post on 11-Oct-2020
Race Condition
Yajin Zhou (http://yajin.org)
Zhejiang University
Credits: SEEDLab
http://www.cis.syr.edu/~wedu/seed/
A vulnerable Set-UID program
• access() -> checks the real user ID
• open() -> checks the effective user ID
• That’s the reason why we need access() before open()
How to attack
Experiment
• x -> password is stored in /etc/shadow
• No x -> password is in /etc/passwd
Attack_process.c
Target_process.sh
Defense
• Atomic operation
• If we can have an option to tell open() to use the real UID (instead of the effective UID)
• Sticky protection
• Least privilege
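
The atomic-operation and least-privilege defenses listed above, as an added C example that is not taken from the slides or from SEEDLab: the access()-then-open() pattern sits beside a version that drops the effective UID to the real UID so that open() itself performs the permission check. The function names and the extra O_NOFOLLOW flag are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Write all of data to fd; 0 on success, -1 otherwise. */
static int write_all(int fd, const char *data)
{
    size_t len = strlen(data);
    return write(fd, data, len) == (ssize_t)len ? 0 : -1;
}

/* Pattern the slides describe, kept for comparison: access() checks the
 * real UID, open() checks the effective UID, and the file that path names
 * can change between the two calls. */
int append_check_then_open(const char *path, const char *data)
{
    if (access(path, W_OK) != 0)                  /* check: real UID */
        return -1;
    /* window: path may name a different file by the time open() runs */
    int fd = open(path, O_WRONLY | O_APPEND);     /* use: effective UID */
    if (fd < 0)
        return -1;
    int rc = write_all(fd, data);
    close(fd);
    return rc;
}

/* Least privilege: set the effective UID to the real UID so the kernel
 * checks permission inside open() with the caller's own rights. The
 * check and the use are then a single atomic step. */
int append_as_real_user(const char *path, const char *data)
{
    uid_t saved = geteuid();
    if (seteuid(getuid()) != 0)                   /* drop Set-UID privilege */
        return -1;
    /* O_NOFOLLOW (added hardening, not from the slides): refuse a
     * symbolic link as the final path component. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    int rc = -1;
    if (fd >= 0) {
        rc = write_all(fd, data);
        close(fd);
    }
    if (seteuid(saved) != 0)                      /* restore after file work */
        return -1;
    return rc;
}
```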